• constantiaconsulting

Risk management process - Risk identification

Risk identification is the first step in the risk assessment process noted in the standard for risk management (ISO 31000:2018 Risk management - Guidelines).


This step seeks to proactively identify the risks that the organisation should manage, using a consultative process with key stakeholders, and assumes effective context setting in the previous step.


This process will usually involve:

  • A workshop including all key stakeholders (i.e. those that are best equipped to identify and assess the risks and those who will be involved in risk mitigating processes/actions)

  • Identification of risks through a brainstorming process

  • Documentation of risks in a Risk Register

  • Verification of the output by key stakeholders.




This list should always be wide-ranging as unidentified risks can cause major losses through missed opportunities or adverse events occurring. ‘Brainstorming’ will always produce a broad range of ideas and all things should be considered as potential risks.


Relevant stakeholders are the subject experts when considering potential risks to the objectives of the work environment and should be included in all risk assessments being undertaken.


All efforts should be made to identify risk proactively; however, risks may also be identified reactively through identification of an issue or an incident. Where this is the case, and there is a future potential for the issue or incident to occur again, it should be recorded as a risk.


Risk identification is ideally undertaken in conjunction with annual business or strategic planning processes. This planning process involves setting of the context and review of existing risks as well as identification and capture of new risks. The process would typically involve a workshop including key stakeholders, facilitated by relevant risk personnel.


When identifying risks, consider the following:

  • What can happen?

  • Why will it happen?

  • Where will it happen?

  • When will it happen?

  • How will it happen?


Risks can also be identified through other business operations including policy and procedure development, external audits, customer complaints, incidents, systems analysis and historical factors.
