Risk management process - Risk identification
Risk identification is the first step in the risk assessment process noted in the standard for risk management (ISO 31000:2018 Risk management - Guidelines).
This step seeks to proactively identify, through a consultative process with key stakeholders, the risks that the organisation should manage. It assumes effective context setting in the previous step.
This process will usually involve:
A workshop including all key stakeholders (i.e. those that are best equipped to identify and assess the risks and those who will be involved in risk mitigating processes/actions)
Identification of risks through a brainstorming process
Documentation of risks in a Risk Register
Verification of the output by key stakeholders.
This list should always be wide-ranging as unidentified risks can cause major losses through missed opportunities or adverse events occurring. ‘Brainstorming’ will always produce a broad range of ideas and all things should be considered as potential risks.
Relevant stakeholders are the subject experts when considering potential risks to the objectives of the work environment and should be included in all risk assessments being undertaken.
All efforts should be made to identify risk proactively; however, risks may also be identified reactively through identification of an issue or an incident. Where this is the case, and there is a future potential for the issue or incident to occur again, it should be recorded as a risk.
Risk identification is ideally undertaken in conjunction with annual business or strategic planning processes. This planning process involves setting of the context and review of existing risks as well as identification and capture of new risks. The process would typically involve a workshop including key stakeholders, facilitated by relevant risk personnel.
When identifying risks, consider the following:
What can happen?
Why will it happen?
Where will it happen?
When will it happen?
How will it happen?
Risks can also be identified through other business operations including policy and procedure development, external audits, customer complaints, incidents, systems analysis and historical factors.