The process of identifying risks to be managed is best undertaken by breaking down the subject of the risk assessment into key parts or topics, as established in the risk management context.
Before undertaking the risk identification process, it is important to gather information on historical incidents and emerging issues relevant to the subject of the risk assessment activity. This may include data specific to the organisation and general information relevant to the subject under assessment. This information may be gathered from a range of sources including, but not limited to, internal incident data, results from audits, staff interviews or group discussions, questionnaires and open source data.
The process adopted for identifying a comprehensive list of risks will be dictated by time and budget constraints. Where the risk assessment activity requires consideration of a broad range of risks, a staged approach may be appropriate: a high-level assessment may be undertaken first to identify and prioritise risks, so that detailed analysis can focus on the areas of highest priority.
The risk identification process is most effective when key stakeholders are involved in structured brainstorming workshops. Each key part or topic is reviewed one by one and the following factors identified:
Sources of risk or threat - what are the things which have the inherent potential to cause harm or facilitate harm?
What could happen - what events or incidents could occur whereby the source of risk or threat has an impact on the achievement of objectives?
Where - the physical locations/assets where the event could occur, or where the direct or indirect consequences may be experienced.
When - specific times or time periods when the event is likely to occur and/or when the consequences would be realised.
How - the manner or method in which the risk event or incident could occur.
Causes - what are the direct and indirect factors that create the source of risk or threat?
Business consequences - what would be the impact on objectives if the risk were realised?
Business areas / stakeholders affected - what parts of the organisation and which stakeholders might be involved or impacted?
Existing controls - a preliminary review of existing controls is undertaken (the detailed review is completed during the risk analysis process) to identify:
What controls currently exist to minimise the likelihood and consequences of each risk?
What vulnerabilities exist that could undermine the effectiveness of those controls?
When each part or key topic has been reviewed and a list of all risks established, consideration is given to whether the list is comprehensive, whether the objectives and scope of the risk assessment activity have been adequately covered, and whether the information relied upon is valid and credible.
Risks should be consolidated in a risk register for further analysis - you may wish to use our free risk register.